ci/cd

.dockerignore

@@ -5,6 +5,8 @@ internalsite/node_modules
 # Go build artifacts and binaries
 build
 dist
+!internal/site/dist
+!internal/site/dist/**
 *.exe
 beszel-agent
 beszel_data*

.github/workflows/docker-images.yml

@@ -1,201 +1,140 @@
-name: Make docker images
+name: Build Docker images
 
 on:
   push:
+    branches:
+      - "**"
     tags:
       - "v*"
 
+permissions:
+  contents: read
+  packages: write
+
+concurrency:
+  group: docker-images-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
+    name: ${{ matrix.name }}
     runs-on: ubuntu-latest
     timeout-minutes: 60
     strategy:
       fail-fast: false
-      max-parallel: 5
       matrix:
         include:
-          # henrygd/beszel
+          - name: Hub
-          - image: henrygd/beszel
+            image: beszel
             dockerfile: ./internal/dockerfile_hub
-            registry: docker.io
+            platforms: linux/amd64,linux/arm64,linux/arm/v7
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
             tags: |
-              type=raw,value=edge
+              type=raw,value=latest,enable={{is_default_branch}}
+              type=raw,value=edge,enable={{is_default_branch}}
+              type=ref,event=branch
+              type=sha,prefix=sha-
               type=semver,pattern={{version}}
               type=semver,pattern={{major}}.{{minor}}
               type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
 
-          # henrygd/beszel-agent:alpine
+          - name: Agent
-          - image: henrygd/beszel-agent
+            image: beszel-agent
-            dockerfile: ./internal/dockerfile_agent_alpine
+            dockerfile: ./internal/dockerfile_agent
-            registry: docker.io
+            platforms: linux/amd64,linux/arm64,linux/arm/v7
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
             tags: |
-              type=raw,value=alpine
+              type=raw,value=latest,enable={{is_default_branch}}
+              type=raw,value=edge,enable={{is_default_branch}}
+              type=ref,event=branch
+              type=sha,prefix=sha-
+              type=semver,pattern={{version}}
+              type=semver,pattern={{major}}.{{minor}}
+              type=semver,pattern={{major}}
+
+          - name: Agent Alpine
+            image: beszel-agent
+            dockerfile: ./internal/dockerfile_agent_alpine
+            platforms: linux/amd64,linux/arm64,linux/arm/v7
+            tags: |
+              type=raw,value=alpine,enable={{is_default_branch}}
+              type=raw,value=edge-alpine,enable={{is_default_branch}}
+              type=ref,event=branch,suffix=-alpine
+              type=sha,prefix=sha-,suffix=-alpine
               type=semver,pattern={{version}}-alpine
               type=semver,pattern={{major}}.{{minor}}-alpine
               type=semver,pattern={{major}}-alpine
 
-          # henrygd/beszel-agent-nvidia
+          - name: Agent NVIDIA
-          - image: henrygd/beszel-agent-nvidia
+            image: beszel-agent-nvidia
             dockerfile: ./internal/dockerfile_agent_nvidia
             platforms: linux/amd64
-            registry: docker.io
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
             tags: |
-              type=raw,value=edge
+              type=raw,value=latest,enable={{is_default_branch}}
+              type=raw,value=edge,enable={{is_default_branch}}
+              type=ref,event=branch
+              type=sha,prefix=sha-
               type=semver,pattern={{version}}
               type=semver,pattern={{major}}.{{minor}}
               type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
 
-          # henrygd/beszel-agent-intel
+          - name: Agent Intel
-          - image: henrygd/beszel-agent-intel
+            image: beszel-agent-intel
             dockerfile: ./internal/dockerfile_agent_intel
             platforms: linux/amd64
-            registry: docker.io
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
             tags: |
-              type=raw,value=edge
+              type=raw,value=latest,enable={{is_default_branch}}
+              type=raw,value=edge,enable={{is_default_branch}}
+              type=ref,event=branch
+              type=sha,prefix=sha-
               type=semver,pattern={{version}}
               type=semver,pattern={{major}}.{{minor}}
               type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-          # ghcr.io/henrygd/beszel
-          - image: ghcr.io/${{ github.repository }}/beszel
-            dockerfile: ./internal/dockerfile_hub
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password_secret: GITHUB_TOKEN
-            tags: |
-              type=raw,value=edge
-              type=semver,pattern={{version}}
-              type=semver,pattern={{major}}.{{minor}}
-              type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-          # ghcr.io/henrygd/beszel-agent
-          - image: ghcr.io/${{ github.repository }}/beszel-agent
-            dockerfile: ./internal/dockerfile_agent
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password_secret: GITHUB_TOKEN
-            tags: |
-              type=raw,value=edge
-              type=raw,value=latest
-              type=semver,pattern={{version}}
-              type=semver,pattern={{major}}.{{minor}}
-              type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-          # ghcr.io/henrygd/beszel-agent-nvidia
-          - image: ghcr.io/${{ github.repository }}/beszel-agent-nvidia
-            dockerfile: ./internal/dockerfile_agent_nvidia
-            platforms: linux/amd64
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password_secret: GITHUB_TOKEN
-            tags: |
-              type=raw,value=edge
-              type=semver,pattern={{version}}
-              type=semver,pattern={{major}}.{{minor}}
-              type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-          # ghcr.io/henrygd/beszel-agent-intel
-          - image: ghcr.io/${{ github.repository }}/beszel-agent-intel
-            dockerfile: ./internal/dockerfile_agent_intel
-            platforms: linux/amd64
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password_secret: GITHUB_TOKEN
-            tags: |
-              type=raw,value=edge
-              type=semver,pattern={{version}}
-              type=semver,pattern={{major}}.{{minor}}
-              type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-          # ghcr.io/henrygd/beszel-agent:alpine
-          - image: ghcr.io/${{ github.repository }}/beszel-agent
-            dockerfile: ./internal/dockerfile_agent_alpine
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password_secret: GITHUB_TOKEN
-            tags: |
-              type=raw,value=alpine
-              type=semver,pattern={{version}}-alpine
-              type=semver,pattern={{major}}.{{minor}}-alpine
-              type=semver,pattern={{major}}-alpine
-
-          # henrygd/beszel-agent (keep at bottom so it gets built after :alpine and gets the latest tag)
-          - image: henrygd/beszel-agent
-            dockerfile: ./internal/dockerfile_agent
-            registry: docker.io
-            username_secret: DOCKERHUB_USERNAME
-            password_secret: DOCKERHUB_TOKEN
-            tags: |
-              type=raw,value=edge
-              type=semver,pattern={{version}}
-              type=semver,pattern={{major}}.{{minor}}
-              type=semver,pattern={{major}}
-              type=raw,value={{sha}},enable=${{ github.ref_type != 'tag' }}
-
-    permissions:
-      contents: read
-      packages: write
 
     steps:
-      - name: Checkout
+      - name: Check out code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
-      - name: Set up bun
+      - name: Normalize GHCR owner
+        id: ghcr
+        run: echo "owner=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_OUTPUT"
+        shell: bash
+
+      - name: Set up Bun
         uses: oven-sh/setup-bun@v2
 
-      - name: Install dependencies
+      - name: Install frontend dependencies
         run: bun install --frozen-lockfile --cwd ./internal/site
+        shell: bash
 
-      - name: Build site
+      - name: Build frontend
         run: bun run --cwd ./internal/site build
+        shell: bash
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
+
+      - name: Sign in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
 
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v5
         with:
-          images: ${{ matrix.image }}
+          images: ghcr.io/${{ steps.ghcr.outputs.owner }}/${{ matrix.image }}
           tags: ${{ matrix.tags }}
 
-      # https://github.com/docker/login-action
+      - name: Build and publish
-      - name: Login to Docker Hub
+        uses: docker/build-push-action@v6
-        env:
-          password_secret_exists: ${{ secrets[matrix.password_secret] != '' && 'true' || 'false' }}
-        if: github.event_name != 'pull_request' && env.password_secret_exists == 'true'
-        uses: docker/login-action@v4
         with:
-          username: ${{ matrix.username || secrets[matrix.username_secret] }}
+          context: .
-          password: ${{ secrets[matrix.password_secret] }}
-          registry: ${{ matrix.registry }}
-
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v7
-        with:
-          context: ./
           file: ${{ matrix.dockerfile }}
-          platforms: ${{ matrix.platforms || 'linux/amd64,linux/arm64,linux/arm/v7' }}
+          platforms: ${{ matrix.platforms }}
-          push: ${{ github.ref_type == 'tag' && secrets[matrix.password_secret] != '' }}
+          push: true
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}

.github/workflows/release.yml

@@ -1,56 +0,0 @@
-name: Make release and binaries
-
-on:
-  push:
-    tags:
-      - "v*"
-
-permissions:
-  contents: write
-
-jobs:
-  goreleaser:
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - name: Set up bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile --cwd ./internal/site
-
-      - name: Build site
-        run: bun run --cwd ./internal/site build
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-
-      - name: Set up .NET
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "9.0.x"
-
-      - name: Build .NET LHM executable for Windows sensors
-        run: |
-          dotnet build -c Release ./agent/lhm/beszel_lhm.csproj
-        shell: bash
-
-      - name: GoReleaser beszel
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          workdir: ./
-          distribution: goreleaser
-          version: latest
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.TOKEN || secrets.GITHUB_TOKEN }}
-          WINGET_TOKEN: ${{ secrets.WINGET_TOKEN }}
-          IS_FORK: ${{ github.repository_owner != 'henrygd' }}

.github/workflows/test.yml

@@ -1,132 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches:
-      - main
-
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-
-concurrency:
-  group: ci-${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  frontend-build:
-    name: Frontend Build
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v6
-
-      - name: Set up bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile --cwd ./internal/site
-        shell: bash
-
-      - name: Build site
-        run: bun run --cwd ./internal/site build
-        shell: bash
-
-  go-test:
-    name: Go Tests
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v6
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-
-      - name: Run tests
-        run: go test -tags=testing ./...
-        shell: bash
-
-  release-smoke:
-    name: Release Smoke Build
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v6
-
-      - name: Set up bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile --cwd ./internal/site
-        shell: bash
-
-      - name: Build site
-        run: bun run --cwd ./internal/site build
-        shell: bash
-
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-
-      - name: Set up .NET
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: "9.0.x"
-
-      - name: Build Windows sensor helper
-        run: dotnet build -c Release ./agent/lhm/beszel_lhm.csproj
-        shell: bash
-
-      - name: Fetch Windows smartctl asset
-        run: go generate -run fetchsmartctl ./agent
-        shell: bash
-
-      - name: Build Linux binaries
-        run: go build ./internal/cmd/hub ./internal/cmd/agent
-        shell: bash
-
-      - name: Build Windows agent
-        run: GOOS=windows GOARCH=amd64 go build ./internal/cmd/agent
-        shell: bash
-
-  docker-smoke:
-    name: Docker Smoke Build
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - dockerfile: ./internal/dockerfile_hub
-            image: beszel-hub-smoke
-          - dockerfile: ./internal/dockerfile_agent
-            image: beszel-agent-smoke
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v6
-
-      - name: Set up bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile --cwd ./internal/site
-        shell: bash
-
-      - name: Build site
-        run: bun run --cwd ./internal/site build
-        shell: bash
-
-      - name: Build Docker image
-        run: docker build --file "${{ matrix.dockerfile }}" --tag "${{ matrix.image }}" .
-        shell: bash

.github/workflows/vulncheck.yml

@@ -1,34 +0,0 @@
-# https://github.com/minio/minio/blob/master/.github/workflows/vulncheck.yml
-
-name: VulnCheck
-on:
-  pull_request:
-    branches:
-      - main
-
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read # to fetch code (actions/checkout)
-
-jobs:
-  vulncheck:
-    name: VulnCheck
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v6
-      - name: Set up Go
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          cache-dependency-path: go.sum
-      - name: Get official govulncheck
-        run: go install golang.org/x/vuln/cmd/govulncheck@latest
-        shell: bash
-      - name: Run govulncheck
-        run: govulncheck -show verbose ./...
-        shell: bash